Days after a devastating cyber attack on Wired journalist Mat Honan that exposed security flaws in Amazon's and Apple's online services, Amazon has fixed a problem that helped hackers gain control over Honan's online accounts and remotely wipe his iPhone, iPad, and MacBook.

Honan's story in Wired (a sister publication of Ars) is well worth reading. It stands both as an indictment of Apple's and Amazon's security and as a warning to users to take extra precautions. Hackers first took advantage of Amazon's user account system to view the last four digits of a credit card linked to Honan's Amazon account. They then used that information to trick Apple's support representatives into thinking they were dealing with Honan. Apple employees "gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account," Wired notes in a follow-up report.

This follow-up report reveals that Amazon has issued a policy change that closes the security hole: it no longer allows people to call Amazon and change account settings such as credit cards and e-mail addresses. Previously, Amazon's phone policy essentially allowed hackers to use social engineering tricks on support representatives to learn sensitive information about targets like Honan.

As Honan explained, Amazon allowed users to add a credit card number to an account simply by calling Amazon and providing a name, e-mail address, and billing address. After hackers used this method of adding a credit card number to Honan's account, they hung up—and then called Amazon back to claim they'd lost access to the account. At this point, they provided the fake credit card number, convincing Amazon to let them add a new e-mail address to the account. The next step was going to the Amazon website and requesting that a password reset e-mail be sent to that e-mail address. From there, the hackers could view the last four digits of Honan's credit cards on Amazon's website.

With those four digits (and Honan's username and billing address), hackers convinced Apple to send a temporary password that let them take over his iCloud account and wreak all sorts of havoc. "The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification," Honan wrote.
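The chain just described can be modelled as a dependency analysis over each company's recovery procedure: what a caller must present, and what they gain. The example below is added here and is not from the article or from either company; the service and action labels are assumptions, while the requirements follow the article's description. It shows which takeovers are reachable from facts that are effectively public, and which single policy change would have broken the chain.

```python
"""
Recovery-policy chain analysis modelled on the incident described above.

An Action is one support or web procedure: the facts a caller must hold and
the facts (or capabilities) gained on success. Starting from facts that are
easy to find, a fixed-point closure shows what becomes reachable and which
one policy change on its own would have stopped the chain.
Labels such as "phone_add_card" are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    service: str
    name: str
    requires: frozenset  # facts the caller must already hold
    yields: frozenset    # facts gained when the procedure succeeds

    @property
    def label(self):
        return f"{self.service}:{self.name}"


def act(service, name, requires, yields):
    return Action(service, name, frozenset(requires), frozenset(yields))


# Starting point per the article: name, e-mail address and billing address.
PUBLIC_FACTS = frozenset({"name", "email", "billing_addr"})

# Amazon's phone policy before the change: add any card with public facts,
# use that attacker-chosen card to add an e-mail address, reset the password
# on the web, then read the real card tails from the account page.
AMAZON_BEFORE = [
    act("amazon", "phone_add_card", {"name", "email", "billing_addr"},
        {"attacker_card_on_file"}),
    act("amazon", "phone_add_email",
        {"name", "billing_addr", "attacker_card_on_file"},
        {"attacker_email_on_account"}),
    act("amazon", "web_password_reset", {"attacker_email_on_account"},
        {"amazon_login"}),
    act("amazon", "web_view_card_tails", {"amazon_login"}, {"card_last4"}),
]

# After the change (no card or e-mail changes by phone) only web steps remain.
AMAZON_AFTER = [a for a in AMAZON_BEFORE if not a.name.startswith("phone_")]

# Apple's phone reset as reported: e-mail, billing address and the last four
# digits of the card on file yield a temporary password; the Apple ID in turn
# allows a remote wipe through iCloud.
APPLE = [
    act("apple", "phone_temp_password",
        {"email", "billing_addr", "card_last4"}, {"apple_id"}),
    act("apple", "icloud_remote_wipe", {"apple_id"}, {"device_wipe"}),
]


def attack_path(start, actions, goal):
    """Ordered action labels that reach `goal` from `start`, or None.

    Repeatedly apply any not-yet-used action whose requirements are all held
    until nothing new appears; the order of first application is the path.
    """
    have, applied, path = set(start), set(), []
    progress = True
    while progress and goal not in have:
        progress = False
        for a in actions:
            if a not in applied and a.requires <= have:
                have |= a.yields
                applied.add(a)
                path.append(a.label)
                progress = True
    return path if goal in have else None


def single_point_fixes(start, actions, goal):
    """Labels of actions whose removal alone makes `goal` unreachable.

    Each is a procedure one company could have changed to break the chain.
    """
    return [a.label for a in actions
            if attack_path(start, [b for b in actions if b is not a], goal)
            is None]


if __name__ == "__main__":
    chain = AMAZON_BEFORE + APPLE
    print("before:", attack_path(PUBLIC_FACTS, chain, "device_wipe"))
    print("after: ", attack_path(PUBLIC_FACTS, AMAZON_AFTER + APPLE, "device_wipe"))
    print("any one of these would have stopped it:",
          single_point_fixes(PUBLIC_FACTS, chain, "apple_id"))
```

Because every step of the chain is a single point of failure, the analysis lists procedures at both companies, which is the article's point about shared responsibility.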

Wired discovered Amazon's policy change closing this method of attack today, after failing to replicate the exploits hackers used against Honan. Amazon spokespeople did not confirm the change, but customer service representatives told Wired that the policy changes were sent out this morning to enhance user security.

That still leaves Apple, whose security policies are getting deserved scrutiny in the wake of the Honan attack. Apple blamed the hack on its own policies not being followed.

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," Apple told Wired, according to Honan's long analysis of his own hacking. "In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

However, Honan wrote that Apple's tech support confirmed to him—twice—that all that's needed to access someone's Apple ID is "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." Wired was also able to replicate the attack by performing it on another account, using the very same methods hackers used against Honan.

Digital security is becoming ever more important as our various accounts, devices, and digital identities are tied to online services, many of which are connected in ways that can be exploited by hackers. There are steps people can take to protect themselves, such as using different credentials for different accounts, making local backups, and disabling certain location services. Sean Gallagher detailed many of the ways in which you can harden your digital security in a post yesterday.

UPDATE: Apple has temporarily frozen over-the-phone password resets while it figures out what to do next.

The article stated that hackers called customer support and added a cc to the account, which was then used to reset the password. I am not sure how I as a customer could prevent this situation from happening. I actually think that it is not my fault at all.

Apple is not known as a secure company, but does it matter? Not really. It's your money, not Apple's or Amazon's. But these companies should have an interest in securing your assets as well, since if it is not safe you may not do business with them anymore.

The last 4 digits of a credit card, and the last 4 to 6 of a bank account, are considered public info by most banks and pay sites. Apple actually considers this to be "secret" information that can be used to verify identity?!

It's hard to fault Apple too much for this. The information they used "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." sounds like a pretty good selection. What else would you require? Though, they should email the temporary password to the email on the account, not give it to the person on the phone.

To get this, they had to fully compromise the Amazon account. This is the damning part, to me. That you could add a credit card on the phone without verifying the account, when all you need to verify the account is a credit card.

If you read the article Matt put out on Wired he wholeheartedly admits that he was as much to blame as Amazon, Google and Apple.

He daisy chained email accounts tied to all of his accounts, his reset account was not unique (not his personal account) and Google offers second level auth which is pretty hard (not impossible) to crack which makes it NOT worth most idiots time to attempt. He never backed up and he tied all of his devices to the same account, making his hack very painful.

What kills me is, Google provides pretty good tools to deal with this (he chose not to), Amazon's process was horked and they chose to fix it (quickly), but Apple pretty much says "Not our fault" when it is obvious that the weak link was a social engineering attack. Yes, I know they said procedure wasn't followed, but maybe their procedure is crap...

The worrisome part is that companies like Amazon and Apple (and most of their peers I'm sure) don't do anything about these sorts of security holes until a highly-publicized exploit like this gives them some bad PR. By that point it's too late for many victims.

One reason why I use Discover's Secure Online Account Numbers. A new credit card number can be generated to be used at each organization and is only good at that organization. It's kind of a pain to use but given this scenario I'm glad I've taken the time to do so.

... they had to fully compromise the Amazon account. This is the damning part, to me.

True, but people like to take shots at Apple a lot more than Amazon or Honan.

From the articles I have read about this incident, Honan and Amazon are clearly the front runners for blame, followed closely by Apple. However, so many people have an irrational hatred of Apple (I am guessing because of Apple's success) most of the venom will be directed at them.

... they had to fully compromise the Amazon account. This is the damning part, to me.

True, but people like to take shots at Apple a lot more than Amazon or Honan.

From the articles I have read about this incident, Honan and Amazon are clearly the front runners for blame, followed closely by Apple. However, so many people have an irrational hatred of Apple (I am guessing because of Apple's success) most of the venom will be directed at them.

-kpluck

Obviously Honan for his mistakes is partially at fault, but both Amazon and Apple had/have equally crappy security requirements.

And I'm pretty sure all that irrational hatred probably doesn't quite equal all the irrational love. Also, depending on where you sit on that continuum, it's very possible for rational love and hate to look quite irrational.

It's hard to fault Apple too much for this. The information they used "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." sounds like a pretty good selection. What else would you require? Though, they should email the temporary password to the email on the account, not give it to the person on the phone.

To get this, they had to fully compromise the Amazon account. This is the damning part, to me. That you could add a credit card on the phone without verifying the account, when all you need to verify the account is a credit card.

This whole thing wouldn't be possible without that one oversight.

I disagree. If the following is true:

"the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file."

Then it kind of makes it out as though you need any credit card, and not the full credit card on file, merely the last 4 digits.

I'm sure many other companies do the same thing, but if that is all that is required to access an account, that's a little bit of a red flag.

It's hard to fault Apple too much for this. The information they used "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." sounds like a pretty good selection. What else would you require? Though, they should email the temporary password to the email on the account, not give it to the person on the phone.

They should require information that isn't on every single receipt where you use your card.

It doesn't even take social engineering to get those; a bit of dumpster diving will do.

Go to any family restaurant. Locate the combo ashtray/garbage can right outside the front door. Look inside - you will easily see a dozen or more receipts, unless it's been emptied very recently. You don't even have to do that much, really. Plenty of people leave behind their copy of the receipt on the table. The waitstaff will notice if you take the signed copy, but not the other one.

Those will have your name, the last four digits of your card, and it will even give the type of card, giving them the first digit, as well.

While this won't be the "card on file" for Apple for everyone, for a significant number of people, it will match.

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

I think Amazon actually went above and beyond and changed their policy to prevent this from happening in the future, when in reality nothing was terribly wrong with their current process, it was Mat's fault for having everything daisy chained together.

Kudos to Amazon for making changes to prevent careless people from being taken advantage of!

The supermarket gave that printed information only to you, the person who had shown that you knew the entire credit card number: that hardly makes those digits public information. Still, asking for more than the last four digits would be an improvement in security, at least for people who toss credit card receipts where identity thieves can find them. (I usually ask stores to not print a CC receipt on small purchases partly for this reason.)

The Apple policy as described above is weirdly worded: it seems to say first that an (entire) credit card number is needed, but then only the last four digits. Why not ask for the entire number, or at least the last eight digits.

Amazon's policy was even more obviously wrong, since name+email address+mailing address combinations are often easy to find, and that was all that was needed to get some credit card information from Amazon.

It's hard to fault Apple too much for this. The information they used "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." sounds like a pretty good selection. What else would you require? Though, they should email the temporary password to the email on the account, not give it to the person on the phone.

They should require information that isn't on every single receipt where you use your card.

It doesn't even take social engineering to get those; a bit of dumpster diving will do.

Go to any family restaurant. Locate the combo ashtray/garbage can right outside the front door. Look inside - you will easily see a dozen or more receipts, unless it's been emptied very recently. You don't even have to do that much, really. Plenty of people leave behind their copy of the receipt on the table. The waitstaff will notice if you take the signed copy, but not the other one.

Those will have your name, the last four digits of your card, and it will even give the type of card, giving them the first digit, as well.

While this won't be the "card on file" for Apple for everyone, for a significant number of people, it will match.

Umm, no? Email address isn't going to be on any of those. Billing address won't be on the receipts. Dumpster diving can't be done over the internet.

This is all a bunch of fail. 4 point verification may not be perfect, but none of your methods would work. You guys are so focused on the last 4 digits thing you apparently think that's all you need. Maybe read the whole sentence.

I am not saying Apple is perfect. But these guys needed a fully compromised account to compromise Apple, which means they had to start somewhere else.

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

Um, no. There is a lot someone can do in your account without needing to re-enter the credit card. So, yeah, it was a giant security hole. Could they order stuff for themselves to a new address? No. Could they create plenty of lulz and havoc inside what you thought was your locked account? Definitely.

Edit: Furthermore, while I agree last 4 digits of your card isn't TOP SEKRIT it's not like a hacker from across the country can read them out a receipt in your wallet. Mat wouldn't have been hacked without the Amazon exploit.

Nobody should be off the hook here, when Apple and Amazon want to manage your accounts, your money, your life, your data, all the things they're getting hooks into, we absolutely should hold them all to a higher standard. All of them, every security hole, every bit.

Amazon's policy was even more obviously wrong, since name+email address+mailing address combinations are often easy to find, and that was all that was needed to get some credit card information from Amazon.

Wrong. That was all that was needed to ADD a credit card to the account. The disconnect in Amazon's policy was only asking for the tail (last 4), billing address, name, and email address to add an additional email address. They probably should have been asking for the shipping address associated to that credit card tail and require that an order had been shipped to that address. However, it's a moot point as they have removed the ability to add credit cards and email addresses over the phone as of today.

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

Um, no. There is a lot someone can do in your account without needing to re-enter the credit card. So, yeah, it was a giant security hole. Could they order stuff for themselves to a new address? No. Could they create plenty of lulz and havoc inside what you thought was your locked account? Definitely.

I think being able to add an email to any account and then have a password reset email sent to that email address is a pretty major security hole.

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

Um, no. There is a lot someone can do in your account without needing to re-enter the credit card. So, yeah, it was a giant security hole. Could they order stuff for themselves to a new address? No. Could they create plenty of lulz and havoc inside what you thought was your locked account? Definitely.

I think being able to add an email to any account and then have a password reset email sent to that email address is a pretty major security hole.

Arguable, as you needed to know the billing address and credit card tail to be able to add the email address. It was intended to allow account recovery if a user forgot their password and no longer had access to the email address associated with the account. Allowing users to add a credit card over the phone is the more questionable of the two "issues" and has since been resolved. Once again, Amazon is doing the right thing and making it harder for social engineering exploits to succeed. What exactly is Apple doing to prevent it?

... they had to fully compromise the Amazon account. This is the damning part, to me.

True, but people like to take shots at Apple a lot more than Amazon or Honan.

From the articles I have read about this incident, Honan and Amazon are clearly the front runners for blame, followed closely by Apple. However, so many people have an irrational hatred of Apple (I am guessing because of Apple's success) most of the venom will be directed at them.

-kpluck

Note: Amazon stated that this is a security hole and changed their policy. Honan admitted to the problems he had and is probably changing his ways. Apple says "What problem? Someone didn't follow procedure." Apple's 'procedure' allows hackers to use publicly available info to access an Apple account. Yes, the original hack in this case obtained the last 4 from Amazon, but as another poster noted, cash register receipts and other non-secure documents disclose the same info.

Apple is the only named entity in this article that believes public information can be used to identify a user for secure access. The others are correcting their procedures to eliminate this flaw.

Am I missing something, or can I reset any Apple based account just by getting the last 4 digits of their credit card? (plus username and billing address) Grocery receipts, restaurant bills, etc? If so, I don't see how people can construe this as "picking on Apple".

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

Um, no. There is a lot someone can do in your account without needing to re-enter the credit card. So, yeah, it was a giant security hole. Could they order stuff for themselves to a new address? No. Could they create plenty of lulz and havoc inside what you thought was your locked account? Definitely.

I think being able to add an email to any account and then have a password reset email sent to that email address is a pretty major security hole.

Arguable, as you needed to know the billing address and credit card tail to be able to add the email address. It was intended to allow account recovery if a user forgot their password and no longer had access to the email address associated with the account. Allowing users to add a credit card over the phone is the more questionable of the two "issues" and has since been resolved. Once again, Amazon is doing the right thing and making it harder for social engineering exploits to succeed. What exactly is Apple doing to prevent it?

Actually, no: "As Honan explained, Amazon allowed users to add a credit card number to an account simply by calling Amazon and providing a name, e-mail address, and billing address."

So you can add any credit card number to an account, and all you need is the name, e-mail, and billing address. You don't need to know the credit card tail to start off.

"After hackers used this method of adding a credit card number to Honan's account, they hung up—and then called Amazon back to claim they'd lost access to the account. At this point, they provided the fake credit card number, convincing Amazon to let them add a new e-mail address to the account."

So, with the second step, they've added the e-mail address to the account.

The third step is sending a password reset email to that email address.

The fourth step is using that password reset email to go online and view the final four digits of credit card numbers.

They did not have access to Honan's card tail before the hack began. They used a phony credit card tail, not a legitimate one.

They didn't get Honan's real credit card tail until the fourth step of the hack. And they only got it because Amazon's security policies allowed it to happen.

Seriously folks, Amazon didn't really have a security hole here at all. Even if you got access to the account like what happened with Mat, you aren't able to place any orders with Amazon as you need to verify the credit card information if you choose to ship to a different shipping address.

Um, no. There is a lot someone can do in your account without needing to re-enter the credit card. So, yeah, it was a giant security hole. Could they order stuff for themselves to a new address? No. Could they create plenty of lulz and havoc inside what you thought was your locked account? Definitely.

I think being able to add an email to any account and then have a password reset email sent to that email address is a pretty major security hole.

Arguable, as you needed to know the billing address and credit card tail to be able to add the email address. It was intended to allow account recovery if a user forgot their password and no longer had access to the email address associated with the account. Allowing users to add a credit card over the phone is the more questionable of the two "issues" and has since been resolved. Once again, Amazon is doing the right thing and making it harder for social engineering exploits to succeed. What exactly is Apple doing to prevent it?

Actually, no: "As Honan explained, Amazon allowed users to add a credit card number to an account simply by calling Amazon and providing a name, e-mail address, and billing address."

So you can add any credit card number to an account, and all you need is the name, e-mail, and billing address. You don't need to know the credit card tail to start off.

"After hackers used this method of adding a credit card number to Honan's account, they hung up—and then called Amazon back to claim they'd lost access to the account. At this point, they provided the fake credit card number, convincing Amazon to let them add a new e-mail address to the account."

So, with the second step, they've added the e-mail address to the account.

The third step is sending a password reset email to that email address.

The fourth step is using that password reset email to go online and view the final four digits of credit card numbers.

They did not have access to Honan's card tail before the hack began. They used a phony credit card tail, not a legitimate one.

They didn't get Honan's real credit card tail until the fourth step of the hack. And they only got it because Amazon's security policies allowed it to happen.

Yep, understood. It was the combination of the two different customer service steps that allowed the information to be disclosed, and BOTH of those services have been blocked and discontinued. Amazon responded immediately and closed a potential loophole. Apple meanwhile defends its practices.

Apple security is a joke. I have found it to be the easiest OS to crack passwords in. At one point in my life I had never used an Apple. A friend lost their password. In less than 10 minutes I was able to figure out how to bypass it. Also at the same time my friend could not remember her email passwords. I found all that in the key chain log. The first time it took me 20 minutes to figure out. No hacking was required. I am not a hacker. I use Linux and applied what I know from there to Apple. This was a few years ago, but since then I get calls for password recovery, about 3 or 4 times a year. I am able to get it done in about the same time frame every time, including access to all the key chain files. One password gets me access to the rest of them. Nothing has changed.

Regardless of what company is to blame, the main point the article raised was that Amazon chose to fix their exposed weakness in this attack whereas Apple is choosing to deny that it has a weakness in the first place. That is total bollocks. Apple needs to step up and fix their end of this entire debacle instead of stating that their security practices are above reproach because if they were, this attack would not have been successful regardless of Amazon's and the victim's part in it. Anything less than that is unacceptable.

Apple security is a joke. I have found it to be the easiest OS to crack passwords in. At one point in my life I had never used an Apple. A friend lost their password. In less than 10 minutes I was able to figure out how to bypass it. Also at the same time my friend could not remember her email passwords. I found all that in the key chain log. The first time it took me 20 minutes to figure out. No hacking was required. I am not a hacker. I use Linux and applied what I know from there to Apple. This was a few years ago, but since then I get calls for password recovery, about 3 or 4 times a year. I am able to get it done in about the same time frame every time, including access to all the key chain files. One password gets me access to the rest of them. Nothing has changed.

If somebody has physical access to a machine, all bets are off. Windows, Linux, or OS X. The only real way to prevent stuff like that is physical security, encryption, and DRM/software that requires the proper password.

Haven't even read the article yet. I'm sure it's great. But can we do something about the crazy Siemens Curiosity rover ad running up in the top right corner? I keep my adblocker off on this site because I want to support the site in that small way. But with psycho flash ads like that slowing down my computer every time they re-run I'm tempted to turn it back on.